
Hundreds of GitHub repositories reportedly injected with malicious code; security firm urges developers to switch to new token type

2025-02-24 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 11/24 Report

Thanks to CTOnews.com reader Alejandro86 for the tip. CTOnews.com, October 5: security firm Checkmarx recently found that hundreds of repositories on GitHub had been injected with malicious code. The attack reportedly reached private repositories as well as public ones, and the researchers believe it was carried out with automated scripts.

The attack reportedly took place between July 8 and July 11 this year. The attackers pushed commits to hundreds of GitHub repositories with forged commit metadata that made them appear to come from Dependabot, GitHub's open-source dependency-update automation, so that developers would take the changes for routine bot activity and not inspect them.

According to CTOnews.com, the attack can be broken into three stages. The first is obtaining the developer's personal access token. The researchers explain that developers set up their environments with personal access tokens in order to perform Git operations, and the token is stored locally on the developer's machine, where it can be read easily. Because Git operations authenticated with such a token are not subject to two-factor authentication, a stolen token on its own is enough to act as the developer.

▲ Image source: Checkmarx

The second stage is credential theft. The researchers are not certain how the attackers obtained developers' credentials, but consider the most likely scenario to be that the victim's machine was infected with a trojan, which then uploaded the locally stored personal access token from the first stage to the attackers' server.

▲ Image source: Checkmarx

In the final stage, the attackers used the stolen tokens to authenticate to GitHub and push malicious code into the repositories. Given the scale of the attack, the researchers infer that the deployment was carried out with automated tooling.

Checkmarx warns developers to pay close attention to where code comes from, even on trusted platforms such as GitHub. The attack succeeded because many developers, seeing a commit attributed to Dependabot, did not examine the actual changes.
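A commit attributed to Dependabot is not the same as a commit made by Dependabot. The following check, an added example rather than code from Checkmarx or CTOnews.com, reads `git log` output and flags commits whose author name or address says "dependabot" but which lack the properties of a GitHub-generated commit. The expected Dependabot author address, the GitHub committer address and the requirement for a good signature (`%G?` = `G`) are this example's assumptions about how genuine Dependabot commits look; the SHAs and the sample log are constructed.

```python
"""Flag commits that claim to be from Dependabot but lack the traits of a genuine one.

Genuine Dependabot commits are created server-side by GitHub: the author is
dependabot[bot] with GitHub's noreply address, the committer is GitHub itself and
the commit carries a signature GitHub shows as "Verified". A commit pushed from a
developer machine with a stolen personal access token can copy the author name and
the commit message, but cannot reproduce GitHub's server-side signature.

Feed it the output of:
    git log --format='%H%x1f%an%x1f%ae%x1f%cn%x1f%ce%x1f%G?%x1f%s' origin/main
"""
import sys
from dataclasses import dataclass

# Assumed identity of genuine Dependabot commits; confirm against a known-good
# Dependabot commit in your own repository before relying on these values.
DEPENDABOT_EMAIL = "49699333+dependabot[bot]@users.noreply.github.com"
GITHUB_COMMITTER_EMAIL = "noreply@github.com"


@dataclass
class Commit:
    sha: str
    author_name: str
    author_email: str
    committer_name: str
    committer_email: str
    sig_status: str  # git %G?: G = good signature, N = none, B/U/E = bad/untrusted/unchecked
    subject: str


def parse_git_log(text):
    """Parse lines produced with the %x1f-separated format shown in the docstring."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\x1f")
        if len(fields) != 7:
            raise ValueError(f"unexpected git log line: {line!r}")
        commits.append(Commit(*fields))
    return commits


def claims_dependabot(commit):
    """True when the commit presents itself as Dependabot in author name or address."""
    return "dependabot" in (commit.author_name + commit.author_email).lower()


def spoof_indicators(commit):
    """Return the reasons a Dependabot-looking commit does not look genuine (empty if it does)."""
    reasons = []
    if commit.author_email.lower() != DEPENDABOT_EMAIL:
        reasons.append(f"author email is not Dependabot's: {commit.author_email}")
    if commit.committer_email.lower() != GITHUB_COMMITTER_EMAIL:
        reasons.append(f"committer is not GitHub: {commit.committer_email}")
    if commit.sig_status != "G":
        reasons.append(f"no valid signature (%G?={commit.sig_status})")
    return reasons


def find_spoofed_dependabot_commits(log_text):
    """Map sha -> indicators for every Dependabot-looking commit that fails a check."""
    return {
        c.sha: spoof_indicators(c)
        for c in parse_git_log(log_text)
        if claims_dependabot(c) and spoof_indicators(c)
    }


# Constructed sample: four commits with made-up SHAs. Commit 1 is a genuine-looking
# Dependabot commit, 2 and 4 imitate Dependabot, 3 is an ordinary human commit.
SAMPLE_LOG = "\n".join([
    "\x1f".join(["1" * 40, "dependabot[bot]", DEPENDABOT_EMAIL, "GitHub", GITHUB_COMMITTER_EMAIL,
                 "G", "Bump lodash from 4.17.20 to 4.17.21"]),
    "\x1f".join(["2" * 40, "dependabot[bot]", DEPENDABOT_EMAIL, "dependabot[bot]", DEPENDABOT_EMAIL,
                 "N", "fix"]),
    "\x1f".join(["3" * 40, "Alice Dev", "alice@example.com", "Alice Dev", "alice@example.com",
                 "N", "Add request rate limiter"]),
    "\x1f".join(["4" * 40, "dependabot[bot]", "dependabot@example.com", "GitHub", GITHUB_COMMITTER_EMAIL,
                 "N", "fix"]),
])

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for sha, reasons in find_spoofed_dependabot_commits(text).items():
        print(f"{sha[:12]} looks like a spoofed Dependabot commit:")
        for reason in reasons:
            print("   -", reason)
```

Run it as `git log --format='%H%x1f%an%x1f%ae%x1f%cn%x1f%ce%x1f%G?%x1f%s' origin/main | python check_dependabot.py`. One caveat: `%G?` reports `G` for any valid signature from a key in the local keyring, so an attacker who signs with their own key would pass if that key were ever imported. Run the check with a keyring that contains only GitHub's web-flow signing key, or extend `spoof_indicators` to compare `%GK` against that key's fingerprint.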

Because access logs for personal access tokens are only available to GitHub Enterprise accounts, non-enterprise users have no way to confirm whether their tokens have been used by an attacker.

The researchers recommend that users switch to GitHub's newer fine-grained personal access tokens, whose permissions can be scoped to specific repositories and operations so that a compromised token does less damage.
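The first stage of the attack relied on tokens sitting in plain text on developer machines, and the recommended fix is to move to fine-grained tokens. The script below, an added example that is not from Checkmarx or CTOnews.com, locates token-shaped strings in the places where Git and the GitHub CLI commonly persist credentials and tells classic tokens from fine-grained ones by their prefix. The file list and environment-variable scan are this example's assumptions about where tokens end up; the token length patterns are approximate and used only for matching; the sample `.git-credentials` content and its tokens are constructed.

```python
"""Find GitHub personal access tokens stored in plain text on a developer machine
and separate classic tokens from fine-grained ones.

A classic token (ghp_...) can carry account-wide scopes such as `repo` and need not
expire; a fine-grained token (github_pat_...) is limited to chosen repositories and
permissions and always expires, so a stolen one does less damage. Anything this
script finds should be treated as readable by any malware running as the user.
"""
import os
import re

# Places where Git and the GitHub CLI commonly persist credentials (assumed list;
# extend it for your own tooling).
CANDIDATE_FILES = (
    "~/.git-credentials",       # git config credential.helper store
    "~/.netrc",                 # curl / git netrc authentication
    "~/.config/gh/hosts.yml",   # GitHub CLI login
)

# Token shapes follow GitHub's token prefixes; lengths are approximate and used
# only for matching, not for validating a token.
TOKEN_PATTERNS = {
    "fine-grained": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{80,}"),
    "classic": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
}


def mask(token):
    """Keep just enough of the token to recognise it in the GitHub UI, never the whole value."""
    return token[:8] + "..." + token[-4:]


def scan_text(text, source):
    """Return one finding per token-shaped string in text."""
    findings = []
    for kind, pattern in TOKEN_PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append({"source": source, "kind": kind, "token": mask(match.group(0))})
    return findings


def scan_machine(paths=CANDIDATE_FILES, env=None):
    """Scan the candidate files plus the environment variables of the current user."""
    env = os.environ if env is None else env
    findings = []
    for path in paths:
        full = os.path.expanduser(path)
        if os.path.isfile(full):
            with open(full, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(fh.read(), full))
    for name, value in env.items():
        findings.extend(scan_text(value, f"env:{name}"))
    return findings


def summarize(findings):
    """Count findings per token kind, e.g. {'classic': 1, 'fine-grained': 1}."""
    counts = {}
    for finding in findings:
        counts[finding["kind"]] = counts.get(finding["kind"], 0) + 1
    return counts


# Constructed sample of a ~/.git-credentials file; both tokens are made-up strings
# in the right shape, not real credentials.
SAMPLE_GIT_CREDENTIALS = "\n".join([
    "https://alice:ghp_" + "A1b2" * 9 + "@github.com",
    "https://alice:github_pat_" + "X" * 22 + "_" + "Y" * 59 + "@github.com",
])

if __name__ == "__main__":
    found = scan_machine() or scan_text(SAMPLE_GIT_CREDENTIALS, "constructed sample")
    for finding in found:
        print(f"{finding['source']}: {finding['kind']} token {finding['token']}")
    counts = summarize(found)
    if counts.get("classic"):
        print(f"{counts['classic']} classic token(s) found: revoke them and issue fine-grained "
              "tokens limited to the repositories and permissions actually needed")
```

Because non-enterprise users cannot see token access logs, a token that turns up here cannot be shown to be unused by an attacker; the safe response is to revoke it and issue a fine-grained replacement rather than to wait for evidence of misuse.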

▲ Image source: Checkmarx

▲ Image source: GitHub

References

Checkmarx: Surprise: When Dependabot Contributes Malicious Code

GitHub: Introducing fine-grained personal access tokens for GitHub
